The document discusses TACACS+ configuration for different network devices including Juniper, Cisco IOS XR, and Cisco ISE. It provides details about predefined login classes and user groups, configuration steps to integrate TACACS+ servers, and how Cisco ISE manages network devices and profiles for TACACS+ authentication.
JunOS – predefined login classes
Login class
All users who log into the Services Router must be in a login class. You can define any number of login classes. You then
apply one login class to an individual user account. With login classes, you define the following:
• Access privileges users have when they are logged into the device.
• Commands and statements that users can and cannot specify.
• How long a login session can be idle before it times out and the user is logged off.
Predefined Login Classes

Login Class              Permission Bits Set
operator                 clear, network, reset, trace, view
read-only                view
super-user / superuser   all
unauthorized             none
Junos Steps & Configuration
Configuration Steps
• Create a login class and the permissions for the class.
• Create the local template user and assign the login class to it.
• Configure the authentication order.
• Configure the TACACS+ servers, the service name and accounting for AAA.
Configuration on Juniper switches, routers and firewalls
Login class configuration (the class the TACACS+ template user is mapped to)
set system login class <class_name> idle-timeout 10
set system login class <class_name> permissions clear
set system login class <class_name> permissions interface
set system login class <class_name> permissions network
set system login class <class_name> permissions reset
set system login class <class_name> permissions trace
set system login class <class_name> permissions view
Create the local template user and assign the login class to it. Users authenticated by ISE inherit this class when the TACACS+ reply carries local-user-name=<local_user_name>, so the template account must exist locally; it needs no local password of its own.
set system login user <local_user_name> full-name "<local_user_full_name>"
set system login user <local_user_name> class <class_name>
Configure the authentication order. Listing password after tacplus keeps local accounts usable when no TACACS+ server answers; note that when password is listed explicitly, Junos also consults the local password database when a TACACS+ server rejects the login, not only when the servers are unreachable.
set system authentication-order tacplus
set system authentication-order password
Configure the TACACS+ servers
set system tacplus-server <server_ip_address> port 49
set system tacplus-server <server_ip_address> secret <shared_key>
set system tacplus-server <server_ip_address> single-connection
Configure the TACACS+ service name under tacplus-options
set system tacplus-options service-name junos-exec
set system tacplus-options no-cmd-attribute-value
Configure TACACS+ accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
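A pre-commit check for the Junos TACACS+ settings above, as an added example in Python that is not part of the original deck. It parses Junos set-style configuration (both one-value-per-line and bracketed list forms), confirms that every tacplus-server has a secret, that tacplus is tried first, and that accounting goes to tacplus with the three event classes, and warns when password is in the authentication order (local passwords are then also consulted when ISE rejects a login) or a login class has no idle-timeout. The two configuration samples, the server address 192.0.2.50 and the class and user names are constructed for the example.

```python
"""Audit of Junos TACACS+ settings from 'set' configuration (added example)."""

REQUIRED_EVENTS = {"login", "change-log", "interactive-commands"}


def parse_set_config(text):
    """Turn Junos 'set ...' lines into token tuples; other lines are skipped."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(tuple(line.split()[1:]))
    return stmts


def _values(tokens):
    """Values of a statement with Junos list brackets '[ ... ]' removed."""
    return [t for t in tokens if t not in ("[", "]")]


def audit_junos_tacplus(text):
    """Return {'errors': [...], 'warnings': [...]} for the TACACS+ related settings."""
    servers, classes = {}, {}
    order, events, destinations = [], set(), set()
    for s in parse_set_config(text):
        if s[:2] == ("system", "tacplus-server") and len(s) > 2:
            servers.setdefault(s[2], set()).update(s[3:4])   # option keyword after the address
        elif s[:2] == ("system", "authentication-order"):
            order += _values(s[2:])                          # accumulates across repeated lines
        elif s[:3] == ("system", "accounting", "events"):
            events.update(_values(s[3:]))
        elif s[:3] == ("system", "accounting", "destination") and len(s) > 3:
            destinations.add(s[3])
        elif s[:3] == ("system", "login", "class") and len(s) > 4:
            classes.setdefault(s[3], set()).add(s[4])        # idle-timeout / permissions / ...

    errors, warnings = [], []
    if not servers:
        errors.append("no tacplus-server configured")
    for ip, opts in sorted(servers.items()):
        if "secret" not in opts:
            errors.append(f"tacplus-server {ip} has no secret")
    if order[:1] != ["tacplus"]:
        errors.append(f"authentication-order {order} does not try tacplus first")
    if "password" in order:
        warnings.append("password in authentication-order: local passwords are also tried "
                        "when a TACACS+ server rejects the login, not only when no server answers")
    if "tacplus" not in destinations:
        errors.append("accounting destination tacplus is missing")
    missing = REQUIRED_EVENTS - events
    if missing:
        errors.append(f"accounting events missing: {sorted(missing)}")
    for name, opts in sorted(classes.items()):
        if "idle-timeout" not in opts:
            warnings.append(f"login class {name} has no idle-timeout")
    return {"errors": errors, "warnings": warnings}


# Constructed samples: GOOD mirrors the deck's settings, WEAK shows common mistakes.
GOOD = """
set system login class netops idle-timeout 10
set system login class netops permissions [ clear interface network reset trace view ]
set system login user netops-template class netops
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.50 port 49
set system tacplus-server 192.0.2.50 secret REDACTED
set system tacplus-server 192.0.2.50 single-connection
set system tacplus-options service-name junos-exec
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus
"""

WEAK = """
set system login class netops permissions all
set system login user netops-template class netops
set system authentication-order [ password tacplus ]
set system tacplus-server 192.0.2.50 port 49
set system accounting events login
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        result = audit_junos_tacplus(cfg)
        print(label, "errors:", result["errors"])
        print(label, "warnings:", result["warnings"])
```

Run it against `show configuration | display set` output before committing; anything in `errors` means TACACS+ is either not consulted first, not accounted, or configured with a server that can never be spoken to correctly.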
IOS XR – Predefined User Groups & Task Groups
User group
A user group defines a collection of users that share a set of attributes, such as access privileges. Cisco IOS XR software allows the system administrator to configure groups of users and the job characteristics common to those groups. Users are not assigned to groups by default, so the assignment must be made explicitly. A user can be assigned to more than one group.
Task group
A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. Each user group is associated with a
set of task groups applicable to the users in that group. A user’s task permissions are derived from the task groups associated with the user
groups to which that user belongs.
Predefined User Groups and Task Groups

User Group      Permissions and tasks that can be performed
cisco-support   Cisco support personnel tasks; used by the Cisco support team.
netadmin        Network administrator tasks; can control and monitor all system and network parameters.
operator        Demonstration group with basic privileges for day-to-day operator tasks.
root-lr         Secure domain router (SDR) administrator tasks; can control and monitor the specific SDR.
root-system     System-wide administrator tasks; can control and monitor the entire system.
sysadmin        System administrator tasks; can control and monitor all system parameters but cannot configure network protocols.
serviceadmin    Service administration tasks, for example Session Border Controller (SBC).
IOS XR Steps & Configuration
Configuration Steps
• Create the task group and the user group.
• Configure the TACACS+ servers and the AAA server group.
• Configure the AAA services and the authentication order.
Configuration on IOS XR routers
User group and task group configuration
configure terminal
!
taskgroup <task_grp_name>
task write interface
task execute interface
!
usergroup <user_grp_name>
taskgroup <task_grp_name>
!
Configure the TACACS+ servers and the AAA server group. Use key 0 to enter the shared secret in clear text; key 7 expects an already-encrypted string, so a clear-text secret pasted after key 7 will never match the one configured in ISE.
tacacs-server host <server_ip_address> port 49
key 0 <shared_key>
!
aaa group server tacacs+ <server_group>
server <server_ip_address1>
server <server_ip_address2>
vrf Mgmt-intf
!
Configure the AAA services and the authentication order (local is consulted only when no server in the group responds)
!
aaa accounting exec default start-stop group <server_group>
aaa accounting system default start-stop group <server_group>
aaa accounting network default start-stop group <server_group>
aaa accounting commands default start-stop group <server_group>
aaa authorization exec default group <server_group> local
aaa authentication login default group <server_group> local
aaa accounting update newinfo
!
commit
!
end
Cisco ISE Device Administration – TACACS+
Network Device Groups
• Cisco ISE allows you to create hierarchical Network Device Groups (NDGs).
• NDGs can be used to logically group network devices based on various criteria, such as geographic location, device type, or the relative
place in the network (Access Layer, Data Center, and so on).
Network Device Attributes Used By Cisco ISE in Policy Evaluation
• When you create a new network device group, a new network device attribute is added to the Device dictionary defined in the system,
which you can use in policy definitions.
• Cisco ISE allows you to configure authentication and authorization policies based on Device dictionary attributes, such as device type,
location, model name, and software version that is running on the network device.
Network Device
• When Cisco ISE receives a RADIUS or TACACS+ request from a network device, it looks for the corresponding device definition to retrieve the shared secret configured there.
• Cisco ISE performs the following procedure when a RADIUS or TACACS+ request is received:
  1. Looks for a device definition whose IP address exactly matches the source address of the request.
  2. Looks up the configured ranges to see whether the source IP address falls within one of them.
  3. If both step 1 and step 2 fail, uses the default device definition (if one is defined) to process the request.
• Cisco ISE then uses the shared secret from that device definition to validate the request: the RADIUS authenticator is checked against it, and the TACACS+ packet body is de-obfuscated with it, so a secret that differs from the one on the device produces a rejected or undecodable request rather than a wrong-password failure. If no device definition matches, Cisco ISE falls back to the shared secret of the default network device definition, if one exists, and processes the request with it.
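The lookup order above (exact IP, then ranges, then the default device), as an added example in Python that is not part of the original deck or of Cisco ISE. The device inventory, addresses and secrets are constructed; the two range forms handled (CIDR and a last-octet a-b range) are the ones this example assumes ISE accepts in the IP Address field. The audit helper shows the practical concern with steps 2 and 3: a default device definition means an unregistered host is processed with the default secret instead of being rejected, and a wide range shares one secret across every address in it, so a secret recovered from one device in the range is usable from any of them.

```python
"""ISE-style network device lookup: exact IP, then range, then default (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NetworkDevice:
    """One network device definition (constructed model, not ISE's schema)."""
    name: str
    ip_spec: str            # "192.0.2.10", "198.51.100.0/24" or "192.0.2.32-47"
    secret: bytes
    device_type: str = "All Device Types"


def _is_range(spec):
    return "/" in spec or "-" in spec


def _covers(spec, ip):
    """True when a range-style spec contains ip (CIDR or last-octet a-b range)."""
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    prefix, octets = spec.rsplit(".", 1)
    lo, hi = (int(x) for x in octets.split("-"))
    return ipaddress.ip_address(f"{prefix}.{lo}") <= ip <= ipaddress.ip_address(f"{prefix}.{hi}")


def _hosts(spec):
    """Number of addresses a definition covers."""
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    if "-" in spec:
        lo, hi = (int(x) for x in spec.rsplit(".", 1)[1].split("-"))
        return hi - lo + 1
    return 1


def resolve_device(src_ip, devices, default=None):
    """Lookup order described for ISE. Returns (device or None, how it matched)."""
    ip = ipaddress.ip_address(src_ip)
    for d in devices:                                             # step 1: exact address
        if not _is_range(d.ip_spec) and ipaddress.ip_address(d.ip_spec) == ip:
            return d, "exact"
    for d in devices:                                             # step 2: ranges
        if _is_range(d.ip_spec) and _covers(d.ip_spec, ip):
            return d, "range"
    if default is not None:                                       # step 3: default device
        return default, "default"
    return None, "no-definition"                                  # unknown device: no secret to use


def broad_definitions(devices, default=None, max_hosts=256):
    """Names of definitions that hand one shared secret to more than max_hosts addresses,
    plus the default device, which covers every address not otherwise defined."""
    names = [d.name for d in devices if _hosts(d.ip_spec) > max_hosts]
    if default is not None:
        names.append(default.name)
    return names


# Constructed inventory mirroring the two device groups used in the deck.
DEVICES = [
    NetworkDevice("edge-junos-1", "192.0.2.10", b"junos-secret", "Juniper-Network-Device"),
    NetworkDevice("xr-core", "192.0.2.32-47", b"xr-secret", "Cisco IOS XR Network Device"),
    NetworkDevice("lab-subnet", "198.51.100.0/24", b"lab-secret"),
]
DEFAULT_DEVICE = NetworkDevice("default-device", "0.0.0.0/0", b"default-secret")

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.40", "198.51.100.7", "203.0.113.9"):
        dev, how = resolve_device(src, DEVICES, DEFAULT_DEVICE)
        print(f"{src:14} -> {dev.name:15} via {how}")
    print("broad definitions:", broad_definitions(DEVICES, DEFAULT_DEVICE, max_hosts=200))
```

Leave the default network device undefined unless onboarding genuinely requires it, and keep each device on its own definition with its own secret; the audit helper lists the definitions that break that rule.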
Cisco ISE TACACS+ – Configuration Steps
Configuration Steps
• Create the Network Device Groups in Cisco ISE.
• Create the Network Device Definitions in Cisco ISE.
• Create the Allowed Protocols service for TACACS+ Device Administration.
• Create the TACACS+ Profiles.
Create Network Device Groups
• Choose Administration > Network Resources > Network Device Groups > Groups.
• Expand Groups and All Device Types.
• Click the Add button and configure Name, Description and Device Type.
• Click the Submit button to save the Network Device Group.
Network Device Group
Name          Juniper-Network-Device
Description   All Juniper network devices
Type          Device Type (default)

Network Device Group
Name          Cisco IOS XR Network Device
Description   All Cisco IOS XR network devices
Type          Device Type (default)
Cisco ISE TACACS+ – Configuration Steps
Create Network Device Definition
• Choose Administration > Network Resources > Network Devices.
• Click the Add button.
• Enter the required information in the Network Devices section.
• Check the TACACS Authentication Settings check box to enable TACACS+ for this device.
• Click the Submit button to save the configuration.
Network Device Definition
Name                             Hostname of the device
Description                      Description of the device
IP Address                       Management IP address (the source address of the device's TACACS+ packets)
Device Type                      Choose the Network Device Group created earlier.
TACACS Authentication Settings   Check the check box to enable.
Shared Secret                    Must be identical to the secret configured on the network device.
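Why the shared secret must match exactly, as an added example in Python that is not part of the original deck: a TACACS+ packet body is XORed with an MD5-derived keystream built from the session ID, the secret, the version byte and the sequence number (RFC 8907 section 4.5), so ISE never compares secrets; it de-obfuscates the body with the secret it looked up for the device and gets unparseable bytes if the device used a different one. The session ID, secret, user name, port and addresses are constructed. The same code makes the caveat visible: the keystream depends only on header fields visible on the wire plus the secret, so this is obfuscation rather than authenticated encryption, and the unencrypted flag bypasses it entirely; keep TACACS+ on a management network or inside a tunnel and never enable unencrypted mode.

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation (added example)."""
import hashlib
import struct

# Protocol constants from RFC 8907.
TAC_PLUS_VERSION_ASCII = 0xC0          # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body sent in clear; must stay off
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04    # what "single-connection" on Junos/IOS XR requests
TAC_PLUS_AUTHEN_LOGIN = 0x01           # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenated, truncated."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1, single_connect=True):
    """Client side: the authentication START (seq_no 1) a device sends to ISE."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack("!4BII", TAC_PLUS_VERSION_ASCII, TAC_PLUS_AUTHEN, 1, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_ASCII, 1)


def parse_header(packet):
    """The 12-byte header is never obfuscated; session_id and seq_no feed the pad."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!4BII", packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def decode_authen_start(packet, key):
    """Server side: recover the START body with the secret looked up for this device.
    Returns None when the decoded field lengths do not fit the body, which is what a
    wrong shared secret looks like on the wire."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if len(body) != hdr["length"] or len(body) < 8:
        return None
    cleartext = bool(hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type,
                  service=service, cleartext=cleartext)
    return fields


# Constructed values; a real client picks the session ID randomly per session.
SESSION_ID = 0x1A2B3C4D
SECRET = b"example-shared-secret"

if __name__ == "__main__":
    pkt = build_authen_start(SESSION_ID, SECRET, b"netops", b"tty0", b"192.0.2.10")
    print("right secret:", decode_authen_start(pkt, SECRET))
    print("wrong secret:", decode_authen_start(pkt, b"wrong-secret"))
```

Because the pad is fixed by header fields plus the secret, anyone who captures a packet whose plaintext is predictable can test candidate secrets offline with one MD5 per guess; choose long random secrets per device and treat a captured TACACS+ session as exposed.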
Cisco ISE TACACS+ – Configuration Steps
Create Allowed Protocols Service
• Navigate to Work Centers > Device Administration > Policy Elements > Results > Allowed Protocols.
• Click on Add button.
• Enter the required information in the Allowed Protocols section.
• Click on Submit button to save the configuration.
Cisco ISE TACACS+ – Configuration Steps
Create TACACS Profile
• Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles.
• Click the Add button.
• Enter the required information in the TACACS Profile section.
• Under Common Tasks choose Shell; under Custom Attributes click the Add button.
• Enter the Type (Mandatory or Optional), Name and Value.
• Click the Submit button to save the configuration.
TACACS Profile (Junos: the attribute names the local template user whose login class the session inherits)
Name               JunOS_RO
Description        Description of the tasks that can be performed
Common Task Type   Shell
Custom Attribute   Type: Optional
                   Name: local-user-name
                   Value: <local_user_name>
TACACS Profile (IOS XR: the # prefix in the task attribute refers to a user group defined on the router)
Name               IOS_XR_RO
Description        Description of the tasks that can be performed
Common Task Type   Shell
Custom Attribute   Type: Mandatory
                   Name: task
                   Value: #<user_grp_name>
Cisco ISE TACACS+ – Configuration Steps
Create Device Admin Policy Set
• Navigate to Work Centers > Device Administration > Device Admin Policy Sets.
• In the left pane, select the existing policy set above (or below) which the new policy set is to be added.
• In the left pane, click Create Above to create a new policy set.
• Click Edit and enter the Name, Description and Condition.
• Click Done.
• Create the required Authentication policy.
• Create the required Authorization policy.
• Click Submit to create the new policy set.
Policy set
Status    Name           Condition
Enabled   Junos_TACACS   DEVICE:Device Type EQUALS Device Type#All Device Types#Juniper-Network-Device
Authentication policy
Rule Name   Condition                                                  Identity source
Default     If no match; allowed protocols: Junos_allowed_protocols    Use: Active_Directory
Authorization policy (JunOS_FA is a second, full-access profile built the same way as JunOS_RO)
Status    Rule Name           Condition                                                                     Shell profile
Enabled   Junos_Read_Only     If any AND Active_Directory:ExternalGroups CONTAINS Networks-Operators         JunOS_RO
Enabled   Junos_Full_Access   If any AND Active_Directory:ExternalGroups CONTAINS Networks-Administrators    JunOS_FA
Cisco ISE TACACS+ – Live Log
After completing the configuration on the network device and on Cisco ISE, device administration logins on the network device are authenticated against the Cisco ISE TACACS+ service.
Verification – Live Log
• Log in to Cisco ISE and navigate to Operations > TACACS > Live Logs.
• Log in to the network device using the TACACS+ user credentials.
• Click the Refresh button to show the latest TACACS+ log entries.
• If authentication succeeded, the log shows the device group match followed by the authentication policy match.
• If authorization succeeded, the log shows the authorization policy that matched and the shell profile applied to the user.
• If either step failed, the log shows the failure; clicking the magnifying glass in the Details column opens the detailed report with the failure reason.
User role and permission verification
• On Cisco IOS XR, after a successful login, enter the following command on the CLI:
  show user all – lists the user's user groups and task groups with the permitted tasks.
• On Junos, after a successful login, enter the following command on the CLI:
  show cli authorization – displays the local (template) user name, the login class and its permissions.